On Fri, Jan 28, 2011 at 2:28 PM, tsuraan <[email protected]> wrote:
>> My understanding is that the issue with zero timeouts has to do with
>> resistance to DOS attacks, specifically things like slowloris
>> (http://ha.ckers.org/slowloris/). If you don't time out then I think
>> you're automatically vulnerable to this attack.
>
> That is true. I wonder if it would be possible to have a timeout
> apply only to the time it takes for receiving HTTP headers; for my
> purposes (and I'm guessing it's pretty common), that would be
> sufficient to determine whether the connection is authorized, which
> can at least provide some protection against DOS. If timeouts are
> disabled entirely, it would still be possible to wrap a timeout around
> the getCookie function to provide that much functionality, right?
I think that would still be trivially exploitable by anyone who knew about it. It seems like that kind of work would just lead to a false sense of security.

>
>> There may be an
>> argument for allowing it to be disabled though. In our tests, the
>> timeout code imposes a pretty substantial performance penalty, so if
>> we supported disabling it, we'd also probably want to do it in such a
>> way that the timeout code wouldn't even be executed. This would be a
>> logical thing to do to get maximum performance from servers of web
>> services behind firewalls that are not exposed to malicious clients.
>
> If disabling timeouts could provide a performance boost, that would
> certainly be a good argument for allowing a setTimeout of 0 rather
> than just doing it with a really high number. Assuming the other
> trade-offs make sense, of course.
>

It might need to be done with a compile-time flag instead of a runtime check for zero.

_______________________________________________
Snap mailing list
[email protected]
http://mailman-mail5.webfaction.com/listinfo/snap
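The header-only timeout proposed above, and the reply that it would still be trivially exploitable, can both be shown with a small simulation. What follows is an added example written for this page; it is not Snap's code and it is in Python rather than Haskell, because the behaviour is independent of the framework. The server side reads a request over a socket with a deadline that covers the whole header block (so a client dripping one header line per read cannot reset it), then reads the body either with no timeout at all (the "timeouts disabled" case) or with a separate body deadline. Three constructed clients are run against it over a local socketpair: a well-behaved one, a slowloris-style one that never finishes its headers, and one that completes the headers and then simply holds the connection without sending the body it announced. The timeouts (0.5 s for headers, 0.3 s for the body), the 8 KiB header cap and the request bytes are all made up for the example; nothing on the page gives concrete values.

```python
import socket
import threading
import time

MAX_HEADER_BYTES = 8192  # assumed cap; not a value from the thread


def read_headers(conn, deadline):
    """Read until the blank line that ends the HTTP header block.

    `deadline` is an absolute time.monotonic() value for the whole block,
    so each recv() gets only the remaining budget; a client that sends a
    few bytes just before every per-read timeout cannot keep it alive.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("header block not complete before deadline")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise TimeoutError("header block not complete before deadline")
        if not chunk:
            raise ConnectionError("client closed before headers complete")
        buf += chunk
        if len(buf) > MAX_HEADER_BYTES:
            raise ValueError("header block too large")
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest


def parse_head(head):
    """Split the header block into the request line and a lower-cased dict."""
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def read_body(conn, buf, length, deadline):
    """Read `length` body bytes. deadline=None means no timeout at all,
    i.e. the server blocks for as long as the client cares to hold it."""
    while len(buf) < length:
        if deadline is None:
            conn.settimeout(None)
        else:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise TimeoutError("body not complete before deadline")
            conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise TimeoutError("body not complete before deadline")
        if not chunk:
            raise ConnectionError("client closed before body complete")
        buf += chunk
    return buf[:length]


def serve_one(conn, header_timeout, body_timeout=None):
    """Handle one connection; returns (status, seconds the connection was held)."""
    start = time.monotonic()
    try:
        head, rest = read_headers(conn, start + header_timeout)
        request_line, headers = parse_head(head)
        length = int(headers.get("content-length", "0"))
        body_deadline = None if body_timeout is None else time.monotonic() + body_timeout
        read_body(conn, rest, length, body_deadline)
        status = "accepted " + request_line
    except (TimeoutError, ConnectionError, ValueError) as exc:
        status = "rejected: " + str(exc)
    finally:
        conn.close()
    return status, time.monotonic() - start


# Constructed clients; each drives the other end of a socketpair.
def fast_client(sock):
    sock.sendall(b"GET / HTTP/1.1\r\nHost: example\r\nCookie: session=abc\r\n\r\n")
    sock.close()


def slowloris_client(sock):
    # Drip one header line every 0.2 s and never send the terminating blank line.
    try:
        sock.sendall(b"GET / HTTP/1.1\r\n")
        for i in range(10):
            time.sleep(0.2)
            sock.sendall(b"X-Pad-%d: %d\r\n" % (i, i))
    except OSError:
        pass  # server closed on us; the attack failed
    sock.close()


def slow_body_client(sock):
    # Complete the headers promptly, then announce a body that never arrives.
    sock.sendall(b"POST /login HTTP/1.1\r\nHost: example\r\nContent-Length: 100\r\n\r\n")
    time.sleep(1.0)  # hold the connection open
    sock.close()


def run_scenario(client, header_timeout, body_timeout=None):
    server_end, client_end = socket.socketpair()
    thread = threading.Thread(target=client, args=(client_end,))
    thread.start()
    result = serve_one(server_end, header_timeout, body_timeout)
    thread.join()
    return result


if __name__ == "__main__":
    for name, client, body_timeout in [("fast", fast_client, None),
                                       ("slowloris", slowloris_client, None),
                                       ("slow body, no body timeout", slow_body_client, None),
                                       ("slow body, 0.3 s body timeout", slow_body_client, 0.3)]:
        status, held = run_scenario(client, 0.5, body_timeout)
        print(f"{name:32s} {status:55s} held {held:.2f}s")
```

The header deadline is enough to drop the slowloris client at 0.5 s, which is the protection the first message is after. The third scenario is the other half of the thread: once the timeout only covers the headers, a client that finishes them and then stalls on the body holds the connection for exactly as long as it likes, so the server is as exhausted as it was with no timeout at all; the fourth scenario shows that the only fix is a deadline on the body as well. Wrapping just the cookie lookup in a timeout has the same shape of gap, since the attacker controls whether the request ever reaches that point.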
